b"Audit Report\n\n\n\n\nOIG-12-047\nTERRORIST FINANCING/MONEY LAUNDERING: FinCEN\xe2\x80\x99s BSA\nIT Modernization Program Is on Schedule and Within Cost,\nBut Requires Continued Attention to Ensure Successful\nCompletion\nMarch 26, 2012\n\n\n\n\nOffice of\nInspector General\nDepartment of the Treasury\n\x0c\x0cContents\n\nAudit Report\n\n  Results in Brief ............................................................................................ 2\n\n  Background ................................................................................................ 5\n\n  Findings ................................................................................................... 8\n\n      FinCEN Prepared a Credible Business Case and Established a Project\n      Management Office for Developing BSA IT Mod ......................................... 8\n\n      BSA IT Mod Program Is Generally on Schedule But Certain Projects\n      Are Delayed; Planning Costs Were Not Recorded in the IT Dashboard .......... 14\n\n      FinCEN Needs to Address SOR Concerns ................................................... 18\n\n  Recommendations ....................................................................................... 21\n\nAppendices\n\n  Appendix     1:      Objectives, Scope, and Methodology ......................................              24\n  Appendix     2:      Additional Background Information on BSA IT Mod ...................                    28\n  Appendix     3:      BSA Data Flow Environment ..................................................           31\n  Appendix     4:      Management Response .........................................................          34\n  Appendix     5:      Major Contributors to This Report ...........................................          36\n  Appendix     6:      Report Distribution ................................................................   37\n\nAbbreviations\n\n  BSA                  Bank Secrecy Act\n  BSA Direct           BSA Direct Retrieval and Sharing\n  BSA IT Mod           BSA Information Technology Modernization Program\n  CIO                  Chief Information Officer\n  E-300                Exhibit 300\n  EVM                  earned value management\n  FinCEN               Financial Crimes Enforcement Network\n  GAO                  Government Accountability Office\n  IRS                  Internal Revenue Service\n  IT                   Information Technology\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,               Page i\n                       But Requires Continued Attention to Ensure Successful Completion\n                       (OIG-12-047)\n\x0cMITRE     MITRE Corporation\nMMO       Modernization Management Office\nOCIO      Office of the Chief Information Officer\nOIG       Office of Inspector General\nOMB       Office of Management and Budget\nPMO       Project Management Office\nSOR       system of record\nTEOAF     Treasury Executive Office of Asset Forfeiture\nWebCBRS   Web-based Currency and Banking Retrieval System\n\n\n\n\n          FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page ii\n          But Requires Continued Attention to Ensure Successful Completion\n          (OIG-12-047)\n\x0c                                                                                       Audit\nOIG\nThe Department of the Treasury\n                                                                                       Report\nOffice of Inspector General\n\n\n\n\n                     March 26, 2012\n\n                     James H. Freis, Jr., Director\n                     Financial Crimes Enforcement Network\n\n                     The Financial Crimes Enforcement Network (FinCEN) administers\n                     the Bank Secrecy Act (BSA), which establishes the framework to\n                     combat criminal use of the financial system. BSA requires financial\n                     institutions to report certain financial transactions made by their\n                     customers. These reports are currently stored in an Internal\n                     Revenue Service (IRS) system.\n\n                     In November 2006, FinCEN began a system development effort,\n                     the BSA Information Technology Modernization Program (BSA IT\n                     Mod), to improve the collection, analysis, and sharing of BSA data.\n                     It is intended that the BSA data will transition from IRS to FinCEN\n                     as part of this effort. BSA IT Mod is a $120 million effort and is to\n                     be completed in 2014. It follows a previously failed system\n                     development effort known as BSA Direct Retrieval and Sharing\n                     (BSA Direct), terminated in July 2006 when FinCEN concluded it\n                     had no guarantee of success. We reviewed that failure and\n                     concluded that FinCEN poorly managed the predecessor project,\n                     insufficiently defined functional and user requirements, misjudged\n                     project complexity, and established an unrealistic completion date.\n                     We also found that the Treasury Office of the Chief Information\n                     Officer (OCIO) did not actively oversee the project, as required by\n                     the Clinger-Cohen Act of 1996. 1\n\n\n\n1\n Treasury Office of Inspector General (OIG), The Failed and Costly BSA Direct R&S System\nDevelopment Effort Provides Important Lessons for FinCEN\xe2\x80\x99s BSA Modernization Program (OIG-11-057;\nJan. 5, 2011).\n\n                     FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 1\n                     But Requires Continued Attention to Ensure Successful Completion\n                     (OIG-12-047)\n\x0c                       Pursuant to a Congressional directive, 2 we conducted this audit to\n                       assess (1) whether FinCEN established an appropriate business\n                       case for developing BSA IT Mod and has been following sound\n                       management principles and federal guidance in planning and\n                       implementing the system and (2) the status of BSA IT Mod\xe2\x80\x99s cost,\n                       schedule, and performance through May 2011.\n\n                       To accomplish our objectives, we interviewed FinCEN program\n                       officials, Treasury OCIO officials, IRS officials currently involved\n                       with managing and using BSA data, and law enforcement users.\n                       We also reviewed applicable program documentation. We\n                       performed our fieldwork from November 2010 to September 2011.\n                       Appendix 1 provides a more detailed description of our audit\n                       objectives, scope, and methodology. Appendix 2 contains\n                       additional background information on BSA IT Mod.\n\n\nResults in Brief\n                       We concluded that FinCEN prepared a credible business case for\n                       developing BSA IT Mod. FinCEN considered four alternatives,\n                       developed cost estimates and estimated benefits for each, and\n                       actively engaged stakeholders for input. FinCEN also restructured\n                       to strengthen management and oversight of the project.\n                       Furthermore, the Treasury OCIO has been actively overseeing BSA\n                       IT Mod.\n\n\n\n2\n Senate Report (S. Rept) 112-79 regarding BSA IT Mod included a reporting directive for the Treasury\nOIG as follows:\n\n    \xe2\x80\x9cThe Committee directs that the Inspector General [Treasury OIG] shall focus resources, when\n    practical, on audits of the Bank Secrecy Act Information Technology Modernization project\n    currently being planned and implemented by Treasury\xe2\x80\x99s Financial Crimes Enforcement Network.\n    The Committee directs that the Inspector General shall submit a written report to the Committee\n    regarding this project, including contractor oversight and progress regarding budget and\n    schedule, on March 31, 2012 and semiannually thereafter.\xe2\x80\x9d\n\nThe Conference Report on the fiscal year 2012 appropriations acts that included Treasury (Pub.L.\nNo. 112-74, House Report 112-331) addresses the reporting directive from S. Rept 112-79 and\nnotes that both the House and Senate Committees on Appropriations should receive copies of the\nreport.\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,       Page 2\n                       But Requires Continued Attention to Ensure Successful Completion\n                       (OIG-12-047)\n\x0c                       As of May 2011, FinCEN reported to the Office of Management\n                       and Budget (OMB) that BSA IT Mod is on schedule and within an\n                       acceptable 10 percent cost threshold. 3 We found that the program\n                       is generally within scheduled milestones, though the development\n                       of certain projects has been delayed by more than the 10 percent\n                       of scheduled milestones. We also found that FinCEN incurred\n                       planning costs of $11.2 million that were not recorded in the IT\n                       Dashboard. 4 According to FinCEN officials, the Treasury OCIO and\n                       OMB were aware of the planning costs and agreed that the costs\n                       did not have to be recorded in the IT Dashboard.\n\n                       Successful and timely completion of BSA IT Mod is, in part,\n                       dependent on completion of the system of record (SOR). The SOR\n                       is the authoritative data store for all BSA data in the BSA IT Mod\n                       program. 5 FinCEN is developing a new SOR and in early 2011\n                       experienced delays. In March 2011, FinCEN extended some SOR\n                       development and testing milestones because of reported\n                       complexities, such as the additional time the contractor needed to\n                       ensure all business rules were configured correctly. As of\n                       November 2011, FinCEN had conducted initial systems integration\n                       testing of the SOR and government acceptance testing was\n                       continuing. 6 In December 2011, we requested the results from\n                       FinCEN for any completed testing but because testing was still\n                       underway, FinCEN was unable to provide those results. We plan to\n\n3\n  Pub.L. No. 111-350, \xc2\xa7 3103, states that it is the policy of Congress that the head of agencies should\nachieve, on average, 90 percent of the cost, performance, and schedule goals established for major\nacquisition programs.\n4\n  The IT Dashboard is a Web site enabling federal agencies, industry, the general public, and other\nstakeholders to view details of federal information technology investments. The purpose of the IT\nDashboard is to provide information on the effectiveness of government IT programs and to support\ndecisions regarding the investment and management of resources. FinCEN provides data for the IT\nDashboard using earned value management (EVM). EVM measures the value of work accomplished in a\ngiven period. Differences in these values are measured in both cost and schedule variances.\nExplanations must be provided for variances of 10 percent and are subject to corrective action plans,\nbaseline change requests or termination. FinCEN contracted with MITRE Corporation (MITRE) to provide\nan independent validation to ensure the accuracy of EVM data.\n5\n  The SOR will be an information storage system that will be the authoritative data source for BSA data.\n6\n  Integration testing is a software development process in which program components are combined\nand tested. Integration testing can expose problems with the interfaces among program components\nbefore trouble occurs in real-world program execution. A system test that allows the government to\nindependently verify aspects of the functionality tested during system testing to determine the system's\nfitness for implementation.\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,      Page 3\n                       But Requires Continued Attention to Ensure Successful Completion\n                       (OIG-12-047)\n\x0c                      review the testing results as part of our ongoing oversight of the\n                      program.\n\n                      Certain IRS users have concerns about the SOR change because of\n                      its impact on IRS\xe2\x80\x99s Web-based Currency Banking and Retrieval\n                      System (WebCBRS), and other IRS systems that depend on BSA\n                      data. 7 WebCBRS is not able to use BSA data in the new SOR\n                      format. FinCEN agreed to provide BSA data from its E-filing system\n                      in the same format IRS currently uses and map back the data from\n                      the new BSA forms in the E-filing system to the old (current) form\n                      format in WebCBRS. 8 This modification was not in FinCEN\xe2\x80\x99s\n                      original development plan as it was initially assumed all IRS users\n                      would transition to the new system. In this regard, there had been\n                      some contemplation that WebCBRS would be retired, but that\n                      proved not possible. This is a critical issue for IRS because it is a\n                      major user of BSA data.\n\n                      We are recommending that FinCEN (1) in conjunction with IRS,\n                      ensure in the short term that IRS\xe2\x80\x99s WebCBRS data needs are met\n                      and, in the long term, assist IRS to ensure data requirements are\n                      incorporated into IRS\xe2\x80\x99s modernization efforts; and (2) ensure that,\n                      for future major capital investments, required submissions to OMB\n                      include full life-cycle cost estimates in accordance with OMB\n                      Circular A-11 9 and that thorough documentation supporting\n                      estimates is maintained. In light of IRS\xe2\x80\x99s data mapping concerns,\n                      and consistent with the directive in S. Rept 112-79 and H. Rept\n                      112-331, we plan in 2012 to review FinCEN\xe2\x80\x99s system modification\n                      for WebCBRS. Additionally, as BSA IT Mod progresses through\n                      completion in 2014, we plan to continue to monitor and report\n                      every 6 months on FinCEN\xe2\x80\x99s development and deployment of the\n                      system.\n\n\n7\n  WebCBRS is IRS\xe2\x80\x99s data warehouse and information retrieval system.\n8\n  As part of BSA IT Mod effort, FinCEN consolidated each of the various financial institution currency\ntransaction reports and suspicious activity reports into a single set of forms, and increased the data\ncaptured on the forms. FinCEN had proposed that the new forms be implemented by June 30, 2012. In\nDecember 2011, FinCEN announced that the deadline to start using the new forms was extended to\nMarch 31, 2013.\n9\n  OMB Circular A-11, \xe2\x80\x9cPreparation, Submission, and Execution of the Budget,\xe2\x80\x9d establishes policy for\nplanning, budgeting, acquisition, and management of federal capital assets, and instructs on budget\njustification and reporting requirements for major information technology (IT) investments.\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,     Page 4\n                      But Requires Continued Attention to Ensure Successful Completion\n                      (OIG-12-047)\n\x0c        In its management response, FinCEN concurred with the\n        recommendations. FinCEN stated that it has mitigated challenges\n        experienced during development of the SOR. In the short term,\n        FinCEN will provide BSA data to WebCBRS via the current E-Filing\n        system and formats. In support of the longer-term goal, FinCEN has\n        been asked to participate on the IRS\xe2\x80\x99s Integrated Project Team to\n        define the IRS BSA data end-state solution. FinCEN\xe2\x80\x99s involvement\n        on the team includes providing the technical specifications for bulk\n        data distribution, answering questions related to new BSA data\n        structures, and providing support as requested.\n\n        Regarding future major capital investments, FinCEN stated in its\n        response that it currently has none planned. However, when such a\n        time comes, FinCEN will ensure that required submissions to OMB\n        comply with OMB\xe2\x80\x99s Circular A-11 and that required documentation\n        supporting cost estimates are maintained.\n\n        The actions taken and planned by FinCEN meet the intent of our\n        recommendations. The FinCEN management response is provided\n        in appendix 4.\n\n\nBackground\n        FinCEN\xe2\x80\x99s mission is to safeguard the financial system from the\n        abuses of financial crime, including terrorist financing, money\n        laundering, and other illicit activity. FinCEN achieves this mission\n        by administering BSA; supporting law enforcement, intelligence,\n        and regulatory agencies through sharing and analysis of financial\n        intelligence; building global cooperation with counterpart financial\n        intelligence units; and networking people, ideas, and information.\n        The USA PATRIOT ACT of 2001 added other requirements,\n        including, among other things, tasking FinCEN with the\n        development of a highly secure network to allow financial\n        institutions to electronically file BSA forms and provide financial\n        institutions with alerts and other information regarding suspicious\n        activities that warrant immediate and enhanced scrutiny.\n\n\n\n        FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 5\n        But Requires Continued Attention to Ensure Successful Completion\n        (OIG-12-047)\n\x0c                      FinCEN has responsibility for overseeing the management,\n                      processing, storage, and dissemination of BSA data, but currently\n                      does not collect, store, or maintain the data. Since BSA reporting\n                      requirements became law in 1970, IRS\xe2\x80\x99s Enterprise Computing\n                      Center in Detroit has collected and stored these data. BSA data are\n                      processed and warehoused in IRS\xe2\x80\x99s WebCBRS. (See appendix 3 for\n                      a depiction of the BSA data flow environment.)\n\n                      In 2004, FinCEN initiated the BSA Direct project to transition BSA\n                      data management responsibilities from IRS, but terminated the\n                      project in July 2006, before completion. Four months later, in\n                      November 2006, FinCEN worked with business leaders and\n                      stakeholders to establish its IT Modernization Vision and Strategy\n                      and formulate its BSA IT Mod initiative. In 2008, Treasury\xe2\x80\x99s\n                      Executive Investment Review Board deemed BSA IT Mod a\n                      Departmental priority. 10 FinCEN expects BSA IT Mod to improve\n                      FinCEN\xe2\x80\x99s BSA data analysis, standardize the data for customers,\n                      capture customer data usage and access patterns, improve data\n                      security, and largely eliminate paper filing.\n\n                      BSA IT Mod is a multi-year development program that will cost\n                      about $120 million. Total system life-cycle cost, including\n                      operation and maintenance expense through 2020, is expected to\n                      total about $233 million. FinCEN will need about $41 million in\n                      additional funding through 2014 to complete the program. Should\n                      FinCEN not receive all of the funds required to complete the\n                      program in its 2013 through 2014 annual appropriations, either\n                      separately or in combination with funds from the Treasury\n                      Executive Office of Asset Forfeiture (TEOAF), FinCEN may have to\n                      delay the program\xe2\x80\x99s completion to future years.11 Congress\n                      rejected FinCEN\xe2\x80\x99s fiscal year 2012 budget request to transfer $30\n                      million from TEOAF to fund the BSA IT Mod development program\n                      and instead appropriated $18.5 million in FinCEN\xe2\x80\x99s 2012 annual\n                      budget. TEOAF has supplemented the funding of the BSA IT Mod\n\n10\n   The Treasury Executive Investment Review Board provides executive oversight to Treasury\xe2\x80\x99s\ninvestment planning and management process.\n11\n   TEOAF administers the Treasury Forfeiture Fund, which is the receipt account for deposit of non-tax\nforfeitures made pursuant to laws enforced or administered by participating Treasury and Department of\nHomeland Security agencies. The Fund was established in 1992 as the successor to what was then the\nCustoms Forfeiture Fund.\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,     Page 6\n                      But Requires Continued Attention to Ensure Successful Completion\n                      (OIG-12-047)\n\x0c                      program to a total of $27 million through fiscal year 2011. FinCEN\n                      is still working with the Department and TEOAF to provide\n                      additional funding, but there is no guarantee that this will be\n                      approved. 12\n\n                      In 2008, FinCEN contracted with Deloitte Consulting, LLP, to\n                      oversee the systems development and integration effort. FinCEN\n                      also contracted with MITRE to provide management guidance,\n                      coordination, and evaluation support for BSA IT Mod.13 MITRE is a\n                      subject matter expert on program and project management, and\n                      BSA IT Mod business capabilities.\n\n                      Figure 1 provides a timeline identifying significant events in the\n                      BSA IT Mod program.\n\n\n\n\n12\n   One funding source administered by TEOAF is the Treasury Forfeiture Super Surplus Fund.\nDistributions from this Fund in excess of $500,000 cannot be used until Appropriations Committees\nfrom both Houses of Congress are notified. Notification to Congress occurs after OMB approves the\nTEOAF Super Surplus plan.\n13\n   MITRE is a not-for-profit organization chartered to work in the public interest with expertise in\nsystems engineering, information technology, operational concepts, and enterprise modernization.\nAmong other things, it manages federally funded research and development centers, including one for\nIRS and U.S. Department of Veterans Affairs (the Center for Enterprise Modernization). Under\nTreasury\xe2\x80\x99s existing contract with MITRE, Treasury and its bureaus, with permission of the IRS sponsor,\nmay contract for support in the following task areas: strategic management, technical management,\nprogram and project management, procurement, and evaluation and audit to facilitate the modernization\nof systems and their business and technical operation.\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,     Page 7\n                      But Requires Continued Attention to Ensure Successful Completion\n                      (OIG-12-047)\n\x0cFigure 1. Timeline of Significant Events in FinCEN\xe2\x80\x99s BSA System Modernization Efforts\n\n                     January 2007 \xe2\x80\x93\n                     December 2009                    May 2010                                          April 2014\n  July 2006        FinCEN develops IT                Beginning of                                        Planned\n    FinCEN        governance process,                 design and       December 2011                      system\n  terminates    stakeholders\xe2\x80\x99 needs, and             development        Completion of                  development\n  BSA Direct          business case                     phase          SOR (release 1)                  completion\n\n\n2006        2007           2008        2009          2010           2011       2012         2013           2014\n\n\n     November 2006                 January 2009                        July 2011           March 2013\n  FinCEN establishes IT             Beginning of                         FinCEN          Planned release\n  modernization, vision             initiation and                   realigns costs           of last\n  and strategy and sets            planning phase                     and adjusts        scheduled BSA\n      modernization                                                     schedule             IT Mod\n       foundation                                                                          component\n\n\nSource: OIG review of FinCEN data.\n\n\n\nFindings\n\nFinding 1                 FinCEN Prepared a Credible Business Case and\n                          Established a Project Management Office for Developing\n                          BSA IT Mod\n\n                          FinCEN prepared a credible business case before beginning\n                          development of BSA IT Mod. FinCEN identified four alternatives\n                          (including maintaining the current system), compared the costs and\n                          benefits of each, and determined that a new system was the best\n                          alternative. We concluded that its determination was reasonable\n                          and supported by the business case. FinCEN also restructured its\n                          information technology (IT) division and created the Modernization\n                          Management Office (MMO) to manage the BSA IT Mod program.\n                          FinCEN\xe2\x80\x99s concept, approach, planning, and planned oversight\n                          mechanism generally followed OMB Circular A-11 and related best\n                          practices guidelines.\n\n\n\n\n                          FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,               Page 8\n                          But Requires Continued Attention to Ensure Successful Completion\n                          (OIG-12-047)\n\x0c                           FinCEN Prepared a Business Case with Four Alternatives\n\n                           As far back as 2003, FinCEN determined the IRS\xe2\x80\x99s legacy system\n                           housing BSA data was antiquated and did not meet user and\n                           stakeholder needs. In developing the business case for BSA IT\n                           Mod, FinCEN determined that, among other things, the system\n                           needed to provide more advanced analytical capability, reduce\n                           costly and intensive manual processes, improve data integrity,\n                           capture data usage and access patterns, solicit and provide\n                           feedback to customers, and otherwise improve the customer\xe2\x80\x99s\n                           experience. As a result, FinCEN identified several alternatives,\n                           including the costs, benefits, and risks associated with each. Based\n                           on its assessment of those alternatives, FinCEN determined that a\n                           new system was the best option.\n\n                           In accordance with OMB\xe2\x80\x99s Circular A-94, FinCEN evaluated four\n                           alternatives for BSA IT Mod, including the status quo and three\n                           system upgrades. 14 The alternatives FinCEN evaluated are\n                           identified below in table 1.\n\n             Table 1: BSA IT Mod Alternatives\n                                                                          Development and             Life-cycle\n                                                                            implementation             estimate\n             Alternative       Description                             estimate (in millions)      (in millions)\n                   1           Status quo                                             $23.3              $65.7\n                   2           New government-owned                                   122.0              243.6\n                               system\n                    3          Augment current systems                                165.0              315.2\n                    4          New contractor-owned                                   158.0              316.4\n                               system\n             Source: OIG analysis of FinCEN data.\n\n\n                           FinCEN chose to develop a new government-owned system,\n                           alternative 2, for BSA IT Mod. Alternative 2 resulted in the lowest\n                           overall life-cycle cost of a system upgrade\xe2\x80\x94an estimated $243.6\n                           million. 15 FinCEN selected alternative 2 over the status quo\n                           because the status quo provided only limited benefits and did not\n                           align with FinCEN\xe2\x80\x99s modernization vision and strategy.\n\n14\n     Circular A-94, \xe2\x80\x9cGuidelines and Discount Rates For Benefit-Cost Analysis of Federal Programs.\xe2\x80\x9d\n15\n     Life-cycle cost estimates for alternative 2 were later adjusted to $233 million.\n\n                           FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,          Page 9\n                           But Requires Continued Attention to Ensure Successful Completion\n                           (OIG-12-047)\n\x0c                       In identifying and selecting from the alternatives, FinCEN followed\n                       guidelines established in OMB Circulars A-11 and A-94, which\n                       supports the Clinger Cohen Act of 1996. 16 The guidelines provide\n                       general guidance for agencies conducting cost-benefit and cost-\n                       effectiveness analyses to support the government\xe2\x80\x99s decision to\n                       initiate, review, or expand programs that extend for 3 or more\n                       years. In evaluating a decision to acquire a capital asset, the\n                       guidelines state that agency analysis should generally consider\n                       (1) doing nothing; (2) making a direct purchase; (3) upgrading,\n                       renovating, sharing, or converting existing government property; or\n                       (4) leasing or contracting for services.\n\n                       FinCEN worked with MITRE to develop the cost estimates using an\n                       IRS cost model built from historical data from similar system\n                       initiatives. IRS conducted a high-level review of FinCEN\xe2\x80\x99s costing\n                       methodology and found it to be reasonable and the overall\n                       approach sound. FinCEN also tasked MITRE to conduct an\n                       independent assessment of IRS\xe2\x80\x99s WebCBRS, as well as FinCEN\xe2\x80\x99s\n                       legacy systems, and examine the feasibility of enhancing current\n                       systems to meet modernization requirements. 17 MITRE\xe2\x80\x99s\n                       assessment concluded that upgrading existing IRS and FinCEN\n                       systems was not a viable option and that the cost to modify these\n                       systems, if even possible, would be as expensive as developing a\n                       new system.\n\n                       In further defining BSA IT Mod user requirements, FinCEN engaged\n                       stakeholder advisory groups, mainly through FinCEN\xe2\x80\x99s Data\n                       Management Council meetings. Stakeholder participants included\n                       regulators, law enforcement, and industry users of BSA data.\n                       FinCEN also asked IRS for guidance and input. Table 2 shows the\n                       stakeholder groups who provided input to FinCEN regarding BSA IT\n                       Mod.\n\n\n16\n   The Clinger-Cohen Act of 1996 is intended to improve the productivity, efficiency, and effectiveness\nof federal programs by improving the acquisition, use, and disposal of information technology resources\nthat includes requiring agencies to base decisions about information technology investments on\nquantitative and qualitative factors associated with their costs, benefits, and risks.\n17\n   FinCEN\xe2\x80\x99s legacy systems include Secure Outreach, Gateway, and various analytical software\napplications. Secure Outreach and Gateway allow users access to the BSA data.\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,    Page 10\n                       But Requires Continued Attention to Ensure Successful Completion\n                       (OIG-12-047)\n\x0cTable 2: BSA IT Mod Advisory Groups\nEntity                       Functions include                         Participating members\nFinCEN\xe2\x80\x99s Integrated          Developing a vision and strategy          Individuals from\nProject Team                 for the BSA IT Mod. Ongoing               business and IT\n                             responsibilities are to define and        organizations within\n                             validate internal and external user       FinCEN who represent\n                             requirements, as well as participate      internal users\n                             in user acceptance testing.\nData Management              Serving as the primary forum to           Federal law enforcement and\nCouncil                      validate requirements and design          regulatory agencies, including\n                             efforts and for giving the                IRS\n                             stakeholder community the ability to\n                             provide input into FinCEN\xe2\x80\x99s\n                             operational model for managing BSA\n                             data.\nBSA Advisory Group           Assisting FinCEN in obtaining             Federal law enforcement and\n                             additional feedback on specific           regulatory agencies; industry\n                             modernization efforts and the             representatives subject to the\n                             impact of the BSA IT Mod effort to        reporting requirements of the\n                             stakeholders.                             BSA\nSource: OIG review of FinCEN data.\n\n\n            The stakeholders we spoke with believed overall that the\n            modernized program will meet their expectations and is needed to\n            enhance the current system. They told us FinCEN effectively\n            communicated and provided the opportunity to participate through\n            the Data Management Council. They also expressed satisfaction\n            with the extent to which FinCEN maintained a balance between\n            what law enforcement and the regulator community wants, as well\n            as how it responded to stakeholder needs and concerns.\n\n            We believe FinCEN\xe2\x80\x99s decision to build a new system was justified\n            based on the business case it developed. It should be noted,\n            however, that we were not able to fully validate FinCEN\xe2\x80\x99s cost\n            estimates because FinCEN could not provide detailed supporting\n            documentation beyond the summary level for hardware and\n            software cost estimates, cost savings and benefits, contracting\n            services costs, and operations and maintenance, and other costs.\n            According to best practices identified by the Government\n            Accountability Office (GAO), estimates should be thoroughly\n            documented (including source data, a narrative, clearly detailed\n            calculations, and results) so that a cost analyst unfamiliar with the\n\n\n            FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,       Page 11\n            But Requires Continued Attention to Ensure Successful Completion\n            (OIG-12-047)\n\x0c                       program can recreate it quickly with the same results. 18 MITRE\n                       officials overseeing the development of BSA IT Mod acknowledged\n                       to us that cost estimates should have been better documented.\n                       This is a matter FinCEN should address when embarking on future\n                       systems development programs.\n\n                       FinCEN Strengthened Its IT Management for BSA IT Mod\n\n                       FinCEN underwent significant change following the failure of BSA\n                       Direct. For example, there were changes in senior leadership and a\n                       Project Management Office (PMO) was created to plan and execute\n                       future IT projects, like BSA IT Mod.\n\n                       With these changes, FinCEN restructured its IT Division. 19 As\n                       previously stated, within this division, FinCEN established the MMO\n                       to provide daily management of BSA IT Mod. In addition, FinCEN\xe2\x80\x99s\n                       PMO separately reviews and assesses the MMO\xe2\x80\x99s practices and\n                       processes related to risk, quality, scheduling, governance, and\n                       change management. 20\n\n                       Table 3 shows Treasury\xe2\x80\x99s and FinCEN\xe2\x80\x99s overall management and\n                       oversight structure for BSA IT Mod.\n\n\n\n\n18\n   GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital\nProgram Costs (GAO-09-3SP, Mar. 2009).\n19\n   FinCEN is organized into five separate divisions. FinCEN\xe2\x80\x99s information technology division is currently\ncalled the Technical Services and Solutions Division and is headed by its Chief Information Officer (CIO).\n20\n   The MMO is governed by an internal board, which reports to the FinCEN CIO, and is comprised of\nFinCEN\xe2\x80\x99s Assistant Directors, an Enterprise Architect (Deputy CIO), and three Senior Advisors.\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,      Page 12\n                       But Requires Continued Attention to Ensure Successful Completion\n                       (OIG-12-047)\n\x0cTable 3: BSA IT Mod Governance, Oversight, and Management Structure\nEntity                   Roles and responsibilities          Participating members\nModernization            Oversees the BSA IT                 3 members - Treasury CIO, IRS\nExecutive Group          governance and investment           Deputy Commissioner, and\n(provides for            decision management                 FinCEN Director\nexternal and             process\ninternal\ngovernance)\nExecutive Steering       Ensures BSA IT Mod                  7 members - Treasury CIO,\nCommittee                objectives are met, risks are       FinCEN Associate Directors, IRS\n(provides for            managed appropriately, and          executives (3 members)\nexternal and             expenditure of resources are\ninternal                 fiscally sound\ngovernance)\nInvestment Review        Reviews the project\xe2\x80\x99s               9 members - FinCEN\xe2\x80\x99s Director,\nBoard (internal          status, risks, and cost             Chief Counsel, Deputy Director,\nFinCEN oversight)        decision                            Associate Directors, and other\n                                                             FinCEN staff as required\nEnterprise Planning      Addresses technical,                FinCEN CIO and Assistant\nBoard (internal          business, and/or                    Directors.\nFinCEN oversight)        organizational changes at\n                         the enterprise level\nProject                  Provides internal review and        FinCEN Assistant Director for\nManagement               assessment of MMO                   the Project Management Office\nOffice (internal         practices                           and staff\nFinCEN oversight)\nModernization            Provides daily management           FinCEN\xe2\x80\x99s BSA IT Mod program\nManagement               of BSA IT Mod                       manager and project managers\nOffice (internal\nFinCEN\nmanagement\nfunction)\nProject Review           Performs weekly status              FinCEN\xe2\x80\x99s Technology Solutions\nBoard (internal          review of projects that             and Services Division\nFinCEN                   examine risks and Technical         management, project managers,\nmanagement               Review Board                        and contractor personnel\nfunction)                recommendations\nTechnical Review         Reviews technical                   FinCEN\xe2\x80\x99s Assistant Director for\nBoard (internal          configuration and                   the Office of Infrastructure\nFinCEN                   requirements change                 Operations and Hosting;\nmanagement               requests                            Technology Solutions and\nfunction)                                                    Services Division staff,\n                                                             contractor personnel\nSource: OIG review of FinCEN data.\n\n           FinCEN\xe2\x80\x99s PMO completed an internal assessment of the program\xe2\x80\x99s\n           initiation and planning stages in May 2010. The assessment\n           FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,      Page 13\n           But Requires Continued Attention to Ensure Successful Completion\n           (OIG-12-047)\n\x0c            determined that FinCEN produced a strong set of planning\n            documents, supporting artifacts and processes tied closely to\n            agency policy and best practices. Although the assessment also\n            found evidence that areas of the project were having difficulties\n            operating to plan, this was attributed to normal \xe2\x80\x9cgrowing pains\xe2\x80\x9d for\n            new programs, and these issues were actively being addressed and\n            improved.\n\n            The internal assessment found successful incorporation of previous\n            lessons learned and recommendations by GAO and other reviewers,\n            resulting in a comprehensive set of thorough and integrated\n            planning documents. Overall, the assessment concluded that\n            FinCEN demonstrated a successful execution of the program\xe2\x80\x99s\n            initiation and planning stages.\n\n            Treasury\xe2\x80\x99s OCIO is also providing oversight of BSA IT Mod. The\n            office included the program on Treasury\xe2\x80\x99s high visibility list,\n            subjecting the program to extra scrutiny and attention. We found\n            that the Treasury OCIO regularly reviews FinCEN\xe2\x80\x99s EVM program\n            reporting, tracks its status on OMB\xe2\x80\x99s IT Dashboard, and provides\n            regular status briefings to OMB.\n\n            The Treasury CIO is a member of the Modernization Executive\n            Group and Executive Steering Committee that oversees the BSA IT\n            Mod program. We interviewed a former acting Treasury CIO\n            serving in these roles during 2010 and 2011, who stated that\n            FinCEN has been open and transparent in providing information on\n            the status of the program.\n\nFinding 2   BSA IT Mod Program Is Generally on Schedule But\n            Certain Projects Are Delayed; Planning Costs Were Not\n            Recorded in the IT Dashboard\n\n            As of May 2011, FinCEN reported to OMB that BSA IT Mod is on\n            schedule and within an acceptable 10 percent cost threshold. We\n            found that the program is generally within scheduled milestones,\n            though the development of certain projects has been delayed by\n            more than the 10 percent of scheduled milestones. We also found\n            that FinCEN incurred planning costs of $11.2 million that were not\n\n            FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 14\n            But Requires Continued Attention to Ensure Successful Completion\n            (OIG-12-047)\n\x0crecorded in the IT Dashboard. According to FinCEN officials, the\nTreasury OCIO and OMB were aware of the planning costs and\nagreed that the costs did not have to be recorded in the IT\nDashboard.\n\nBSA IT Mod Has Generally Met All Scheduled Milestones\n\nIn May 2010, FinCEN completed the program\xe2\x80\x99s initiation and\nplanning phases and entered the design phase. As of May 2011,\nthe program has successfully met all scheduled milestones,\nalthough certain projects have exceeded development milestones\nby 10 percent. FinCEN program management officials told us the\nschedule slippages were primarily due to the need for further\ndevelopment and testing of the program\xe2\x80\x99s SOR. This is discussed\nin more detail in the next section.\n\nTable 4 displays the schedule status of BSA IT Mod by project.\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 15\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0cTable 4: BSA IT Mod Schedule Status by Project as of May 31, 2011\n                                                            Projected\nProject                          Start date                 end date          Status\nInfrastructure\n       Establish and test\n       infrastructure            May 2010                   Sep 2010          Completed\n       Release1                  May 2010                   Mar 2011          Completed\n       Release 2                 Mar 2011                   Sep 2011          On schedule\n       Release 3                 Jul 2011                   Jun 2012          Not begun\nRegistered user portal           May 2010                   Mar 2011          Completed\nIdentity management\nAccess management                May 2010                   Mar 2011          Completed\nData conversion                  May 2010                   Dec 2011          On Schedule\nSystem of record\n       Release 1                 May 2010                   Oct 2011          13% behind schedule\n       Release 2                 Oct 2011                   Jun 2012          Not begun\n Data dissemination\n       Release 1                 May 2010                   Oct 2011          19% behind schedule\n       Release 2                 Sep 2011                   Jun 2012          Not begun\nShared filing services\n       Release 1                 May 2010                   Oct 2011          27% behind schedule\n       Release 2                 Oct 2011                   Jun 2012          Not begun\nThird party data\n       Release 1                 May 2010                   Oct 2011          On schedule\n       Release 2                 Sep 2011                   Jun 2012          Not begun\nE-filing\n       Release 1                 Sep 2010                   Jun 2011          25% behind schedule\n       Release 2                 Jul 2011                   Oct 2011          25% behind schedule\nAlerts                           Oct 2011                   Sep 2012          Not begun\nAdvanced analytics\n       Release 1                 Jun 2010                   Oct 2010          Completed\n       Release 2                 Nov 2010                   Apr 2011          Completed\n       Release 3                 May 2011                   Jul 2012          Not beguna\nBSA query\n       Release 1                 Feb 2011                   Mar 2012          36% behind schedule\n       Release 2                 Apr 2012                   Oct 2012          Not beguna\nBroker knowledge exchange (314(a) and 314(b))\n       Release 1                 Sep 2010                   Jun 2011          Completed\n       Release 2                 Jun 2011                   Sep 2011          Not begun\nSource: FinCEN\xe2\x80\x99s BSA IT Modernization Integrated Master Schedule and Program Management\nReview (May 2011).\na\n In January 2012, FinCEN reported to us that in December 2011 advanced analytics release 3 and\nBSA query were behind schedule. In February 2012, FinCEN reported to us that data conversion and\nrelease 1 of system of record, shared filing services, third party data, and E-filing were all completed\non time and within budget. We plan to review related documentation as part of our ongoing oversight\nof the program.\n\n\n\n           FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,               Page 16\n           But Requires Continued Attention to Ensure Successful Completion\n           (OIG-12-047)\n\x0c                       Costs Are Underreported\n\n                       FinCEN projects that the cost to design, develop, and in 2014,\n                       deploy the BSA IT Mod will be $120 million. BSA IT Mod is\n                       estimated to have a life-cycle through at least 2020. 21\n                       Enhancements and maintenance once deployed are projected to\n                       cost approximately $21.7 million annually. Estimated total costs for\n                       the program are projected to reach $233 million during its life-\n                       cycle. As of May 31, 2011, a FinCEN program official and program\n                       documentation revealed that $32.4 million has been spent on work\n                       associated with the program. However, excluded from the $32.4\n                       million is an estimated $11.2 million in additional program costs\n                       incurred from 2008 through 2010. BSA IT Mod\xe2\x80\x99s actual program\n                       costs as of that date, therefore, are approximately $43.6 million.\n\n                       We asked FinCEN officials why costs prior to May 2010 were not\n                       captured. The officials told us that early costs were not included\n                       because FinCEN did not receive approval from OMB to begin using\n                       funds for system design until May 2010. This is when the program\n                       moved beyond its planning phase.\n\n                       FinCEN did not report in its Exhibit 300 (E-300) submissions to\n                       OMB the $11.2 million in program life-cycle costs incurred from\n                       2008 through 2010, although such reporting is required by OMB\n                       Circular A-11. 22 According to FinCEN officials, OMB was aware\n                       that these costs were not being included. In addition, Treasury\xe2\x80\x99s\n                       original cost estimates for developing BSA IT Mod were based on\n                       the assumption that IRS\xe2\x80\x99s WebCBRS would be retired when the\n                       BSA IT Mod was completed. The intent to retire WebCBRS was an\n                       important consideration on the part of OMB when it gave its\n                       approval for FinCEN to proceed with BSA IT Mod.\n\n\n21\n   Life-cycle costs include all initial costs, plus the periodic or continuing costs of operation and\nmaintenance (including staffing costs), and any costs of decommissioning or disposal.\n22\n   Circular A-11 requires that E-300s be submitted for all major investments. A major investment is\ndefined as a system or acquisition requiring special management attention because of its importance to\nthe mission or function of the agency, a component of the agency or another organization; is for\nfinancial management and obligates more than $500,000 annually; has significant program or policy\nimplications; has high executive visibility; has high development, operating, or maintenance costs; is\nfunded through other than direct appropriations; or is defined as major by the agency\xe2\x80\x99s capital planning\nand investment control process. The E-300 data is used to populate the IT Dashboard.\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,     Page 17\n                       But Requires Continued Attention to Ensure Successful Completion\n                       (OIG-12-047)\n\x0c                       However, in November 2009, FinCEN became aware that IRS\n                       needed to continue to use WebCBRS to support its tax\n                       administration functions. In April 2010, OMB and Treasury\n                       determined that the retirement of WebCBRS could not occur as\n                       planned and agreed to de-couple the need to retire WebCBRS from\n                       proceeding with BSA IT Mod. IRS estimates it will cost about $5\n                       million annually to keep WebCBRS operational.\n\nFinding 3              FinCEN Needs to Address SOR Concerns\n\n                       Successful and timely completion of BSA IT Mod is, in part,\n                       dependent on completion of FinCEN\xe2\x80\x99s new SOR. The SOR is\n                       planned to be the authoritative data store for all BSA data in the\n                       BSA IT Mod program. This SOR will be a data-centric designed\n                       system, focusing on the BSA data and the relationships between\n                       the data elements\xe2\x80\x94resulting in, among other things, expected\n                       greater data standardization, flexibility, and ability to better support\n                       downstream analytics. In contrast, WebCBRS is a form-centric\n                       system as it is focused on and coded by BSA form type, which\n                       makes changes to the data structure more difficult and time\n                       consuming\xe2\x80\x94the coding is difficult to change and changes impact\n                       each form within the system and every application with which it\n                       interfaces.\n\n                       During our review, FinCEN determined that the SOR project was\n                       likely to take more than 10 percent longer than originally planned\n                       to complete. Accordingly, FinCEN submitted a baseline schedule\n                       change request, which was approved by Treasury OCIO and\n                       accepted by OMB. The change request extended the SOR schedule\n                       by 2 months to December 2011. The SOR is a critical component\n                       of BSA IT Mod and the delays that occurred in its development\n                       could have a ripple effect on other projects yet completed. FinCEN\n                       will need to continue to carefully manage the program. 23\n\n\n\n23\n   In January 2012, FinCEN reported to us that in December 2011 advanced analytics release 3 and\nBSA query were behind schedule. In February 2012, FinCEN reported to us that data conversion and\nrelease 1 of system of record, shared filing services, third party data, and E-filing were all completed on\ntime and within budget. We plan to review related documentation as part of our ongoing oversight of\nthe program.\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,        Page 18\n                       But Requires Continued Attention to Ensure Successful Completion\n                       (OIG-12-047)\n\x0cIn addition, certain IRS officials expressed concern to us regarding\nFinCEN\xe2\x80\x99s new SOR. Specifically, their concern is that IRS will\ncontinue to maintain WebCBRS and, as a result, will not be able to\ndirectly upload BSA data in the new SOR format. As a workaround,\nFinCEN is planning to provide the BSA data from its E-filing system\nin the same format IRS currently uses. FinCEN will also map back\nthe data from the new BSA forms in the E-filing system to the old\n(current) form format in WebCBRS. IRS needs WebCBRS to\ncommunicate effectively with its other tax-related systems. At the\ntime of our review, FinCEN had not completed development and\ntesting of its data mapping effort to ensure IRS receives data in the\nformat it needs. It should be noted that this is a critical issue for\nIRS because it is a major user of BSA data.\n\nComplexity of the Program\xe2\x80\x99s SOR Development\n\nAs noted above, the SOR is the authoritative data store for all BSA\ndata and a key element in BSA IT Mod. Setbacks in SOR\ndevelopment could put BSA IT Mod at risk of delay, or even failure.\nThe SOR is to contain 11 years worth of BSA data (current year\nplus 10 prior years that are currently housed in WebCBRS), and will\nensure chain of custody to the data. As part of the BSA IT Mod\nprogram\xe2\x80\x99s responsibility for maintaining filing history of BSA data,\nthe SOR will capture normal filing information and collect additional\ninformation associated with E-filing\xe2\x80\x94things like the date the BSA\ndata was received, acceptance and rejection decisions, and filing\nerror statistics and metrics.\n\nFinCEN program documentation showed that SOR development\ncomplexities resulted in the need for additional iterations in the\ndevelopment and testing of the SOR and the need to ensure all the\nbusiness rules and data mapping were correct prior to conversion.\nBusiness rules are coding programmed into the system that require\nBSA filers to input specific data based on their responses to other\ndata fields. Complexity of business rules increase with the number\nof data choices that a filer can select. Depending on the filer\xe2\x80\x99s\nselection, the business rules will determine the additional data\nfields to be completed or left blank. For example, in filing a\ncurrency transaction report, the filer can chose to file a report\nabout an individual or a business entity. Should the filer choose to\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 19\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0c                      file a report about a business entity (as opposed to an individual),\n                      the business rules will require there be no associated first or middle\n                      name, and that those fields be left blank.\n\n                      As discussed above, to address the complexities of the SOR,\n                      FinCEN added iterations to its development and testing. As a\n                      result, FinCEN had to submit a baseline schedule change request,\n                      which was approved by Treasury OCIO and accepted by OMB. The\n                      change request extended the SOR schedule date by 2 months.\n\n                      IRS and Mapping Concerns\n\n                      IRS is a major user of BSA data. With the implementation of BSA\n                      IT Mod, IRS\xe2\x80\x99s role will change from being the SOR administrator to\n                      a customer. FinCEN, as the SOR administrator, will be responsible\n                      for providing the data to IRS and its other users.\n\n                      Officials from both IRS\xe2\x80\x99s Modernization IT Services and its Criminal\n                      Investigations Division expressed concerns about the effect\n                      FinCEN\xe2\x80\x99s new SOR will have on IRS\xe2\x80\x99s operations. Specifically, they\n                      are concerned because the new SOR format is not compatible with\n                      WebCBRS and other related systems. 24 In this regard, they stated\n                      that FinCEN is not only changing the way the data is organized in\n                      the database but is also adding data elements. In an April 2010\n                      Treasury presentation to OMB, it was noted that IRS estimated\n                      that it could cost $59 million to replace WebCBRS.\n\n                      To accommodate WebCBRS until it is replaced, FinCEN and IRS\n                      officials agreed that FinCEN will provide BSA data from its E-filing\n                      system in the same format as IRS currently uses. (See appendix 3\n                      for a depiction of the BSA data flow environment.) This means that\n                      FinCEN will need to map the data back from the new BSA forms\n                      format in the E-filing system to the old BSA forms (current) format\n                      in IRS\xe2\x80\x99s WebCBRS. However, IRS has expressed concern that the\n\n24\n  FinCEN\xe2\x80\x99s SOR uses an extensible markup language (XML) format while the WebCBRS file format uses\nAmerican Standard Code for Information Interchange (ASCII). These formats refer to the way data is\nstored in the computer file. ASCII is an older plain text file, traditionally used by many types of\nprograms. XML format is newer, more compatible with Internet applications, and the new U.S.\nGovernment standard. FinCEN plans to provide bulk data to IRS and certain other users in either ASCII\nor XML format.\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 20\n                      But Requires Continued Attention to Ensure Successful Completion\n                      (OIG-12-047)\n\x0c           data may not map properly; that is, new data fields may not\n           correspond to WebCBRS\xe2\x80\x99s current data fields. IRS is also\n           concerned that during this process some BSA data could be lost\n           when data in the new format is truncated to fit into the old format.\n\n           The need to map BSA data for WebCBRS purposes was not in\n           FinCEN\xe2\x80\x99s original BSA IT Mod plan. In this regard, the original plan\n           was for WebCBRS to be retired once BSA IT Mod was fully\n           operational, but that proved not possible. Given IRS\xe2\x80\x99s needs, we\n           consider the mapping project to be a critical undertaking.\n           Accordingly we plan to assess FinCEN\xe2\x80\x99s progress on this in future\n           work.\n\n           FinCEN\xe2\x80\x99s CIO told us the data IRS receives in the future will be no\n           worse than the data it currently receives. IRS and other BSA data\n           users will also be able to access the data from FinCEN once its\n           modernized query function becomes available.\n\n           As mentioned above, IRS and FinCEN agreed that FinCEN would\n           continue to provide the data in the same format currently used by\n           IRS\xe2\x80\x99s WebCBRS, and that this would continue until the IRS\n           determines how its downstream systems will be upgraded.\n\n           We queried several other users of BSA data in law enforcement\n           and the regulatory and financial industry as to whether they had\n           concerns regarding BSA IT Mod. They did not. Stakeholders also\n           did not have concerns over the cost to the government as a whole\n           or the expense they may incur in the future to update their IT\n           systems to be compatible with FinCEN\xe2\x80\x99s new system.\n\n\nRecommendations\n           We recommend that the FinCEN Director:\n\n           1. In conjunction with IRS, ensure in the short term that IRS\xe2\x80\x99s\n               WebCBRS data needs are met and; in the long term, assist IRS\n               to ensure data requirements are incorporated into IRS\xe2\x80\x99s\n               modernization efforts.\n\n\n\n           FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 21\n           But Requires Continued Attention to Ensure Successful Completion\n           (OIG-12-047)\n\x0c    Management Response\n\n    FinCEN, in the short term, will provide BSA data to WebCBRS\n    via the current E-Filing system and formats. In support of the\n    longer-term goal, FinCEN has been asked to participate on the\n    IRS\xe2\x80\x99s Integrated Project Team to define the IRS BSA data end-\n    state solution. FinCEN\xe2\x80\x99s involvement on the team includes\n    providing the technical specifications for bulk data distribution,\n    answering questions related to new BSA data structures, and\n    providing support as requested.\n\n    OIG Comment\n\n    The actions taken and planned by FinCEN meet the intent of our\n    recommendation.\n\n2. Ensure that, for future major capital investments, required\n   submissions to OMB include full life-cycle cost estimates in\n   accordance with OMB Circular A\xe2\x80\x9311 and that through\n   documentation supporting estimates is maintained.\n\n    Management Response\n\n    FinCEN currently does not have a future major capital\n    investment planned. However, when such a time comes,\n    FinCEN will ensure that required submissions to OMB comply\n    with OMB\xe2\x80\x99s Circular A-11 and that required documentation\n    supporting costs estimates are maintained.\n\n    OIG Comment\n\n    The above commitment by FinCEN meets the intent of our\n    recommendation.\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 22\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0c                                 ******\n\nWe appreciate the cooperation and courtesies extended to our staff\nduring the audit. If you wish to discuss the report, you may\ncontact me at (617) 223-8640 or, Audit Manager Mark Ossinger,\nat (617) 223-8643. Major contributors to this report are listed in\nappendix 7.\n\n\n/s/\nDonald P. Benson\nDirector\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 23\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0cAppendix 1\nObjectives, Scope, and Methodology\n\n\n\n\nThe objective of our review was to determine and report on\nwhether the Financial Crimes Enforcement Network (FinCEN)\nestablished an appropriate business case and was following sound\nmanagement principles and federal guidance in planning and\nimplementing the Bank Secrecy Act Information Technology\nModernization Program (BSA IT Mod). We reviewed FinCEN\xe2\x80\x99s\nbusiness case for developing the system and the program\ngovernance model FinCEN established to supervise and monitor the\ndevelopment progress, and determined the status of the program\xe2\x80\x99s\ncost, schedule, and performance through May 2011.\n\nTo accomplish our objective, we interviewed a variety of officials,\nincluding FinCEN program officials, Treasury Office of Chief\nInformation Officer (OCIO) officials, Internal Revenue Service (IRS)\nofficials currently involved with managing and using Bank Secrecy\nAct (BSA) data, and law enforcement users, and reviewed\napplicable program documentation. We performed our fieldwork\nfrom November 2010 to September 2011.\n\nAt FinCEN, officials we interviewed included the following:\n\n\xe2\x80\xa2   The Chief Information Officer (CIO) and the BSA IT Mod\n    program manager to gain information on the history of BSA IT\n    Mod, a perspective on each individual\xe2\x80\x99s knowledge and level of\n    involvement, cost and schedule concerns, and overall progress\n    of the program.\n\n\xe2\x80\xa2   The Deputy Chief Financial Officer and lead budget analyst to\n    gain a general understanding of the cost and funding for the\n    BSA IT Mod.\n\n\xe2\x80\xa2   The Assistant Director and the lead assessor of FinCEN\xe2\x80\x99s\n    Project Management Office to understand their roles in BSA IT\n    Mod and to discuss their assessments of the program\xe2\x80\x99s\n    practices.\n\nExternal to FinCEN, we interviewed the following officials.\n\n\xe2\x80\xa2   The Director and the chief of strategic planning and analysis of\n    the Treasury Executive Office for Asset Forfeiture Fund in\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 24\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0cAppendix 1\nObjectives, Scope, and Methodology\n\n\n\n\n    Washington, D.C., to obtain an understanding of the Treasury\n    Forfeiture Fund role as a source of funding for BSA IT Mod.\n\n\xe2\x80\xa2   Contracting officials at the Acquisitions Services Directorate of\n    the U.S. Department of the Interior in Herndon, Virginia, to\n    understand Interior\xe2\x80\x99s role as the contracting office for BSA IT\n    Mod.\n\n\xe2\x80\xa2   Deloitte LLP\xe2\x80\x99s managing director at the Deloitte offices in\n    Washington, D.C., to understand Deloitte\xe2\x80\x99s role in BSA IT Mod\n    and ascertain the program\xe2\x80\x99s status.\n\n\xe2\x80\xa2   MITRE representatives in McLean, Virginia, as well as at FinCEN\n    headquarters to gain an understanding of MITRE\xe2\x80\x99s role as the\n    federally funded research and development contractor, level of\n    involvement with the program, as well as issues, concerns, and\n    other significant matters observed.\n\n\xe2\x80\xa2   The Treasury Associate CIO for Planning and Management, and\n    the Treasury OCIO desk officer to understand their roles in\n    overseeing BSA IT Mod.\n\n\xe2\x80\xa2   IRS officials in New Carrolton, Maryland, and Detroit, Michigan.\n    We spoke with officials from IRS\xe2\x80\x99s Small Business/Self-\n    Employed Unit, Modernization, Information Technology and\n    Security Services Division, and Criminal Investigation Division to\n    understand IRS\xe2\x80\x99s involvement and to determine their needs and\n    concerns as future users of FinCEN\xe2\x80\x99s modernized system. We\n    also interviewed the lead IRS cost estimator to discuss the\n    results of his review of the FinCEN\xe2\x80\x99s BSA IT Mod\xe2\x80\x99s cost\n    estimates.\n\n\xe2\x80\xa2   IRS\xe2\x80\x99s Associate CIO, Applications Development Group, to gain\n    an understanding of her role with BSA IT Mod, coordination\n    between IRS and FinCEN, and concerns regarding the program.\n\n\xe2\x80\xa2   Various members of the BSA IT Mod stakeholder community,\n    including officials or staff with the Federal Bureau of\n    Investigations, Office of the Comptroller of Currency,\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 25\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0cAppendix 1\nObjectives, Scope, and Methodology\n\n\n\n\n    Immigration and Customs Enforcement, Federal Deposit\n    Insurance Corporation, United States Secret Service, American\n    Bankers Association, and FinCEN\xe2\x80\x99s Integrated Project Team. We\n    discussed their needs and concerns regarding BSA IT Mod, and\n    discussed FinCEN\xe2\x80\x99s outreach to their respective organizations\n    for input on program requirements.\n\nWe reviewed program-related information that FinCEN provided to\nus including the original and updated Exhibit-300s, the CIO\xe2\x80\x99s IT\nsupport services contract file, management reports, minutes from\nexecutive, management and technical meetings, planning\ndocumentation, program and project level documentation, FinCEN\xe2\x80\x99s\nanalysis of alternatives, and various FINCEN presentations.\n\nIn addition, we reviewed program management briefings and status\nreports, internal and external program performance assessment\nreports, and related documentation to assess program performance\nstatus, risks, and issues. We did not assess program test results as\ntesting had not been completed during the audit period.\n\nWe reviewed background information including (1) the Federal\nAcquisition Regulation; (2) FinCEN\xe2\x80\x99s Strategic Plan for 2008-2012\nand 2010 Annual Report; and (3) laws, regulations, guidance, and\nTreasury directives applicable to capital planning and investment\ncontrol and managing information systems and information\ntechnology.\n\nWe initially requested from FinCEN all documentation associated\nwith BSA IT Mod. FinCEN informed us, however, that\ndocumentation could not be provided unless we specifically\nidentified by name the documentation needed. Because we did not\nknow the specific names of most of the program-related\ndocuments to request, this resulted in us having to make numerous\nrequests for what we consider to be basic documentation and data\nthat could have been provided up-front in response to our initial\ninformation request. This is a matter of concern that was discussed\nwith FinCEN officials at the exit conference for this audit report.\n\nWe conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 26\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0cAppendix 1\nObjectives, Scope, and Methodology\n\n\n\n\nthat we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objectives.\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 27\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0c                        Appendix 2\n                        Additional Background Information on BSA IT Mod\n\n\n\n\n                        The Financial Crimes Enforcement Network (FinCEN) is developing\n                        the Bank Secrecy Act Information Technology Modernization\n                        Program (BSA IT Mod) using a system development life-cycle\n                        process, which divides the program into phases and related\n                        deliverables. BSA IT Mod has 7 phases and 5 milestones, as shown\n                        in table 5 below. 25 FinCEN reported that two phases, project\n                        initiation and domain architecture, are complete.\n\nTable 5: BSA IT Mod Phases\nPhase                                Description                           Period of performance\nProject Initiation                   Milestone 1 \xe2\x80\x93 scope/goals             January 2009 thru April\n                                     definition                            2010\nDomain Architecture                  Milestone 2 \xe2\x80\x93 specification of        January 2009 thru April\n                                     operating concept and structure       2010\n                                     of the solution\nPreliminary Design                   Milestone 3- logical design of all    Ongoing since May 2010\n                                     solution components\nDetail Design                        Milestone 4A- physical design of      Ongoing since May 2010\n                                     solution components\nDevelopment                          Milestone 4B- coding,                 Ongoing since May 2010\n                                     integration, testing and\n                                     certification of solutions\nDeployment                           Milestone 5 \xe2\x80\x93 expanding               Ongoing since May 2010\n                                     availability of solution to users\nOperations and Maintenance                                                 Until system retirement\nSource: OIG review of FinCEN data.\n\n\n                        The BSA IT Mod program is made up of numerous projects with\n                        specific components. A summary of the projects are described\n                        below:\n\n                        \xe2\x80\xa2   Infrastructure \xe2\x80\x94 Provides the design, development,\n                            procurement, and implementation of the development and test\n                            environments, storage area network(s), and disaster recovery\n                            capabilities required to support the other BSA IT Mod projects.\n\n                        \xe2\x80\xa2   Register User Portal/Identity Management/Access Control\n                            Management \xe2\x80\x94 Provides a common user interface and\n\n25\n  Milestones are interim products or checkpoints along the system development life-cycle to confirm\nthat the proper steps are being followed, and to indicate progress towards completion of a phase or a\nproject.\n\n\n                        FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,        Page 28\n                        But Requires Continued Attention to Ensure Successful Completion\n                        (OIG-12-047)\n\x0cAppendix 2\nAdditional Background Information on BSA IT Mod\n\n\n\n\n    authentication process through which authorized users will gain\n    access to all future BSA IT Mod applications. Registered users\n    will include both internal and external customers.\n\n\xe2\x80\xa2   BSA E-Filing \xe2\x80\x94 Develops the system by which BSA filers will\n    submit all required documentation to FinCEN.\n\n\xe2\x80\xa2   Shared Filing Services \xe2\x80\x94 Assists in the validation of BSA data\n    based on external data sources, such as validating addresses\n    with the U.S. Postal Service.\n\n\xe2\x80\xa2   BSA Data System of Record /Data Dissemination/Third Party\n    Data \xe2\x80\x94 Implements the data storage and architecture for all\n    BSA related data. Includes the implementation of third-party\n    data ingestion, comparisons, and storage. Implements the\n    distribution of large quantities of BSA data to external\n    consumers.\n\n\xe2\x80\xa2   Data Conversion \xe2\x80\x94 Completes the conversion of 11 years of\n    BSA data from the legacy system to the new system of record.\n\n\xe2\x80\xa2   Alerts - Provides the ability to automatically alert analysts to\n    any suspicious activity based on pre-defined criteria.\n\n\xe2\x80\xa2   Advanced Analytics \xe2\x80\x94 Implements complex search and retrieval\n    functionality required by internal and external users to support\n    analytical, law enforcement, and regulatory activities. Provides\n    advanced analytical capabilities such as geospatial, statistical\n    analysis, social networking, semantic interchange, and\n    visualization capabilities.\n\n\xe2\x80\xa2   BSA Query \xe2\x80\x94 Implements a tool designed to improve authorized\n    users\xe2\x80\x99 ability to access and analyze BSA data.\n\n\xe2\x80\xa2   Broker Knowledge Exchange \xe2\x80\x94 Provides content management\n    and collaboration support for internal and external stakeholder\n    communities.\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 29\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0c                       Appendix 2\n                       Additional Background Information on BSA IT Mod\n\n\n\n\n                       In March 2008, FinCEN awarded a 5-year indefinite delivery,\n                       indefinite quantity (IDIQ) contract 26 to BearingPoint, Inc., in\n                       connection with the BSA IT Mod. The contract was subsequently\n                       transferred to Deloitte Consulting, LLP. 27 The contract ceiling is a\n                       maximum of $144 million and a minimum of $1 million over the\n                       contract\xe2\x80\x99s 5-year life. The contractor is to support FinCEN\xe2\x80\x99s\n                       Technology Solutions and Services Division by providing a full\n                       range of information technology (IT) services, custom applications,\n                       maintenance support, and infrastructure support necessary to\n                       implement the FinCEN IT operational objectives that will evolve\n                       over the course of the contract. Numerous program-related task\n                       orders associated with the contract are to be issued during the 5-\n                       year contract period.\n\n                       FinCEN is using the Acquisitions Services Directorate of the U.S.\n                       Department of the Interior as the contract office to administer the\n                       contract. FinCEN chose this office because of its prior experience\n                       handling large, complex procurements.\n\n\n\n\n26\n   An IDIQ contract provides for an indefinite quantity of services during a fixed period of time. This\ntype of contract is used when it cannot be predetermined, above a specified minimum, the precise\nquantities of supplies or services that the government will require during the contract period. IDIQ\ncontracts are most often used for service contracts and architect-engineering services. An IDIQ contract\nis flexible, especially when not all the requirements are known at the start of a contract and is\nconducive to a modular approach, which would be one with phases or milestones.\n27\n   The IDIQ contract was transferred from BearingPoint, Inc., to Deloitte Consulting, LLP on October 1,\n2009 after Deloitte Consulting, LLP, purchased substantially all of the assets of Bearing Point, Inc.,\nPublic Service Division.\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,    Page 30\n                       But Requires Continued Attention to Ensure Successful Completion\n                       (OIG-12-047)\n\x0c                   Appendix 3\n                   BSA Data Flow Environment\n\n\n\n\nThe following is a depiction of the current environment for the flow of electronic and\npaper Bank Secrecy Act (BSA) filing data into the Internal Revenue Service\xe2\x80\x99s (IRS)\nlegacy system of record (SOR). Electronic filing is processed through FinCEN\xe2\x80\x99s BSA\nE-filing system directly into the Web-based Currency and Banking Retrieval System\n(WebCBRS). Paper filing is processed by IRS (keypunched by a contractor) and is then\nentered into WebCBRS. Once entered into IRS\xe2\x80\x99s SOR, the data is accessable by IRS,\nFinancial Crimes Enforcement Network (FinCEN), and other users of the data.\n\n\n\n\n Source: FinCEN.\n\n\n\n\n                   FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 31\n                   But Requires Continued Attention to Ensure Successful Completion\n                   (OIG-12-047)\n\x0c                   Appendix 3\n                   BSA Data Flow Environment\n\n\n\n\nThis depiction shows the interim operating environment, which is planned to\naccommodate IRS\xe2\x80\x99s need to have data provided to WebCBRS in the legacy format.\nData is to be mapped from BSA E-filing back to the IRS format for entry into\nWebCBRS. FinCEN will also process all BSA reports through BSA E-filing and the data\nwill be directly entered into the BSA IT Mod system.\n\n\n\n\n Source: FinCEN.\n\n\n\n\n                   FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 32\n                   But Requires Continued Attention to Ensure Successful Completion\n                   (OIG-12-047)\n\x0c                    Appendix 3\n                    BSA Data Flow Environment\n\n\n\n\nThis is a depiction of FinCEN\xe2\x80\x99s planned final BSA IT Mod environment, which assumes\nIRS will retire WebCBRS. When (and if) this occurs, all BSA reports will be filed by\nBSA E-filing directly into BSA IT Mod. IRS will become a user of the data in the same\nmanner as other external stakeholders (law enforcement, regulators, and others), and\nthe re-mapping of data back to the WebCBRS legacy format will no longer be\nnecessary.\n\n\n\n\n  Source: FinCEN.\n\n\n\n\n                    FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 33\n                    But Requires Continued Attention to Ensure Successful Completion\n                    (OIG-12-047)\n\x0cAppendix 4\nManagement Response\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 34\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0cAppendix 4\nManagement Response\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 35\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0cAppendix 5\nMajor Contributors to This Report\n\n\n\n\nBoston Office\n\nMark Ossinger, Audit Manager\nKenneth O\xe2\x80\x99Loughlin, Auditor-in-Charge\nJeanne DeGagne, Auditor-in-Charge\nJoshua Lee, Auditor\n\nWashington, D.C.\n\nFarbod Fakhrai, Referencer\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 36\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0cAppendix 6\nReport Distribution\n\n\n\n\nDepartment of the Treasury\n\n    Deputy Secretary\n    Under Secretary for Terrorism and Financial Intelligence\n    Chief Information Officer\n    Office of Strategic Planning and Performance Management\n    Office of Deputy Chief Financial Officer, Risk and Control Group\n\nFinancial Crimes Enforcement Network\n\n    Director\n\nOffice of Management and Budget\n\n    OIG Budget Examiner\n\nU.S. Senate\n\n    Chairman and Ranking Member\n    Committee on Appropriations\n\n    Chairman and Ranking Member\n    Subcommittee on Financial Services and General Government\n    Committee on Appropriations\n\nU.S. House of Representatives\n\n    Chairman and Ranking Member\n    Committee on Appropriations\n\n    Chairman and Ranking Member\n    Subcommittee on Financial Services and General Government\n    Committee on Appropriations\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost,   Page 37\nBut Requires Continued Attention to Ensure Successful Completion\n(OIG-12-047)\n\x0c"